
security issue in returning post parameters from session in callback phase #867

Merged (1 commit, Jan 17, 2017)

Conversation

@lalithr95 (Contributor) commented Jan 11, 2017

The request phase of omniauth stores request.params in the session, which are later assigned to env in the callback phase. According to the docs we should only store query params, but in this case both GET and POST params get stored. POST params can contain the authenticity_token of the application to protect forms from CSRF issues. We shouldn't leak such tokens from POST params.

@sferik @jamesarosen @md5

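To make the request-phase/callback-phase round trip concrete, the following is an added Ruby example, not omniauth's or Rack's own code. It assumes, as the comment above describes, that the request phase stashes parameters in the session under a key (here "omniauth.params", an assumed name) and the callback phase copies them back into env; MiniRequest is a stdlib stand-in for the Rack::Request#GET, #POST and #params accessors, and the sample POST, its path and its token value are constructed for the example. It shows the before/after side by side: storing request.params carries the POSTed authenticity_token into the session and on to the callback env, while storing only the query parameters does not.

```ruby
require "uri"
require "stringio"

# Stand-in for the three Rack::Request accessors the PR distinguishes, built
# from a Rack-style env hash with the standard library only. This is a
# hypothetical helper for the example, not omniauth's or Rack's code.
class MiniRequest
  def initialize(env)
    @env = env
  end

  # Query-string parameters only: what Rack::Request#GET returns.
  def get_params
    URI.decode_www_form(@env["QUERY_STRING"].to_s).to_h
  end

  # Form-encoded body parameters: what Rack::Request#POST returns.
  def post_params
    return {} unless @env["REQUEST_METHOD"] == "POST" &&
                     @env["CONTENT_TYPE"] == "application/x-www-form-urlencoded"

    URI.decode_www_form(@env["rack.input"].read).to_h
  end

  # GET merged with POST: what Rack::Request#params returns.
  def params
    get_params.merge(post_params)
  end
end

# Request phase as the PR describes it: the whole of request.params is
# stashed in the session for the callback phase, so a POSTed
# authenticity_token is persisted alongside the query parameters.
# (Session key name "omniauth.params" is assumed for the example.)
def vulnerable_request_phase(env, session)
  session["omniauth.params"] = MiniRequest.new(env).params
  session
end

# Hardened request phase: persist only what the docs say should be stored,
# the query-string parameters.
def hardened_request_phase(env, session)
  session["omniauth.params"] = MiniRequest.new(env).get_params
  session
end

# Callback phase as the PR describes it: the stored parameters are copied
# back into env, where anything downstream can read them.
def callback_phase(env, session)
  env["omniauth.params"] = session.fetch("omniauth.params") { {} }
  env
end

# Constructed sample request: a form POST to the request-phase path that
# carries the application's CSRF token in the body and a harmless query
# parameter. The path and token value are made up for the example.
def build_post_env
  {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO"      => "/auth/developer",
    "QUERY_STRING"   => "origin=%2Fdashboard",
    "CONTENT_TYPE"   => "application/x-www-form-urlencoded",
    "rack.input"     => StringIO.new("authenticity_token=dummy-csrf-token&provider=developer"),
  }
end

# Runs one request phase followed by the callback phase and reports which
# parameter names reached the callback env.
def params_reaching_callback(request_phase)
  session = method(request_phase).call(build_post_env, {})
  callback_phase({}, session)["omniauth.params"].keys.sort
end

# True when the CSRF token from the POST body survives into the callback env.
def csrf_token_leaked?(request_phase)
  params_reaching_callback(request_phase).include?("authenticity_token")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{params_reaching_callback(:vulnerable_request_phase).inspect}"
  puts "hardened:   #{params_reaching_callback(:hardened_request_phase).inspect}"
end
```

Running the script prints the parameter names that reach the callback env under each variant: the vulnerable path includes authenticity_token (and any other body field), the hardened path only the query-string parameter. The same check is worth running against an application's own session store after upgrading, since anything already persisted by the old code stays in the session until it is cleared.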
@lalithr95 (Contributor, Author) commented

ping? due to security concern

@jamesarosen (Contributor) commented

I haven't been involved in this project in years and know nothing about this.

@sferik sferik merged commit 61df4e8 into omniauth:master Jan 17, 2017
@sferik (Contributor) commented Jan 17, 2017

@lalithr95 Thanks!

stevendanna added a commit to chef/chef-server that referenced this pull request Jan 18, 2017
Recently, omniauth shipped a fix to a security vulnerability:

  omniauth/omniauth#867

I haven't investigated whether this is a serious issue for us, but it
seemed prudent to just try an update.

Signed-off-by: Steven Danna <steve@chef.io>
robbkidd added a commit to chef/supermarket that referenced this pull request Jan 18, 2017
Described in omniauth/omniauth#867

Signed-off-by: Robb Kidd <rkidd@chef.io>
marcparadise pushed a commit to chef/chef-server that referenced this pull request Jan 20, 2017
@carnil commented Jan 26, 2018

This issue has been assigned CVE-2017-18076 by MITRE.
